[SID: 23179] Intrusion Detection alerts received on a Symantec Endpoint Protection client for ntoskrnl.exe

Article ID: 152354

Products

Endpoint Protection

Issue/Introduction

Why am I receiving alerts for ntoskrnl.exe on a SEP client? Is SEP truly blocking a legitimate Windows process or is this some type of attack?

Symptoms
Logs will contain alerts very similar to the following:


Severity: Critical, Event: Intrusion Detection System, Description: [SID: 23179] MSRPC Server Service BO detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe

This may also be listed as "OS Attack: MSRPC Server Service RPC CVE-2008-4250"
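The following is an added example, not part of the Symantec article: a small parser for the two log line shapes shown above (the alert line and the "Traffic has been blocked" line that follows it), which flags alerts for SID 23179 or the CVE-2008-4250 signature name and tallies which local application the blocked traffic was attributed to. The sample log is constructed for the example; the unrelated SID 99999 in it is a placeholder, not a real signature ID, and real SEP exports may carry additional fields (host, timestamp) that this example does not model.

```python
import re
from collections import Counter

# Line shapes as shown in the Symptoms section of the article.
ALERT_RE = re.compile(
    r"Severity:\s*(?P<severity>\w+),\s*Event:\s*(?P<event>[^,]+),\s*"
    r"Description:\s*\[SID:\s*(?P<sid>\d+)\]\s*(?P<desc>.+?)\.?\s*$"
)
BLOCKED_RE = re.compile(
    r"Traffic has been blocked from this application:\s*(?P<app>.+?)\s*$"
)

# Signature ID and the alternate signature name the article gives for MS08-067.
MS08_067_SIDS = {"23179"}
MS08_067_CVE = "CVE-2008-4250"

# Constructed sample log; SID 99999 is a placeholder for an unrelated signature.
SAMPLE_LOG = r"""
Severity: Critical, Event: Intrusion Detection System, Description: [SID: 23179] MSRPC Server Service BO detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
Severity: Critical, Event: Intrusion Detection System, Description: [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
Severity: Minor, Event: Intrusion Detection System, Description: [SID: 99999] Placeholder unrelated signature.
Traffic has been blocked from this application: C:\Program Files\Example\example.exe
"""


def parse_sep_ips_log(lines):
    """Parse SEP IPS log lines into alert dicts.

    A 'Traffic has been blocked' line is attached to the alert that precedes it,
    since the two are written as a pair in the client log.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        m = ALERT_RE.match(line)
        if m:
            alerts.append({
                "severity": m["severity"],
                "event": m["event"].strip(),
                "sid": m["sid"],
                "description": m["desc"],
                "application": None,
            })
            continue
        m = BLOCKED_RE.match(line)
        if m and alerts:
            alerts[-1]["application"] = m["app"]
    return alerts


def is_ms08_067_alert(alert):
    """True when the alert is the MS08-067 signature by SID or by CVE name."""
    return alert["sid"] in MS08_067_SIDS or MS08_067_CVE in alert["description"]


def ms08_067_summary(alerts):
    """Count MS08-067 alerts and tally the local application each was attributed to.

    For inbound Server service (SMB/MSRPC) traffic this is normally the kernel
    image ntoskrnl.exe, i.e. the local endpoint of the blocked traffic, not the
    source of the exploit attempt.
    """
    hits = [a for a in alerts if is_ms08_067_alert(a)]
    return {
        "count": len(hits),
        "applications": Counter(a["application"] for a in hits),
    }


if __name__ == "__main__":
    parsed = parse_sep_ips_log(SAMPLE_LOG.splitlines())
    summary = ms08_067_summary(parsed)
    print(f"MS08-067 alerts: {summary['count']}")
    for app, n in summary["applications"].items():
        print(f"  {n} x {app}")
```

Run it against an exported SEP client log one line at a time; a non-zero count is the cue to start the steps in the Resolution section (look for W32.Downadup detections on the network and confirm the host is patched for MS08-067).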

Cause

This is an Intrusion Prevention System (IPS) alert. It most likely indicates that a threat is attempting to exploit the Windows Server service vulnerability in its handling of MSRPC requests, described in Microsoft Security Bulletin MS08-067 (CVE-2008-4250). The best-known threat targeting this vulnerability is the W32.Downadup (aka Conficker) family of worms.

Resolution

Check for any detections of W32.Downadup or other threats within your environment, and take steps to isolate and then clean the affected systems.

Apply all critical Windows Updates throughout the environment as soon as possible to resolve any unpatched vulnerabilities. Please see the following article for further information: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

In the event this doesn't resolve the issue, please contact Symantec Technical Support for further assistance.

If you need to contact support for this issue, please have SymHelp output available, as well as a Microsoft Baseline Security Analyzer (MBSA) report for the affected system if possible.